Biometrics, Privacy and the Internet of Things – Interview With Samsung’s Steven Rahman

Steven Rahman, Director of Technology and Strategy at Samsung, leads a forward-thinking team tasked with a critical mission: to secure and develop technology that will maintain the competitiveness of the Samsung platform. As part of our 12th annual biometrics industry Year in Review, Peter O’Neill, president of FindBiometrics, had a chance to speak with Rahman about the state of consumer biometrics. Looking back on 2014 and ahead to the near future, the conversation touches on a number of hot topics in identity management including the Internet of Things, the role of privacy in the development process, and what Rahman sees as two of the most exciting biometric technologies out there.

*

Peter O’Neill, FindBiometrics (FB): From your perspective at Samsung what are the most exciting benefits that biometrics can bring to consumers?

Steven Rahman, Director of Technology and Strategy,  Samsung (SR): I think a lot of the reason why companies like Samsung and Apple are trying to bring biometrics to their devices is to help users deal with password fatigue.  Achieving a balance between ease of access and security is always going to be a challenge. What we are trying to do is create a more compelling user experience. If we can find a better way for people to unlock their devices while ensuring that personal data is protected, Samsung will differentiate its devices.  Offering that kind of protection differentiates Samsung from competitors who don’t have the ability to invest in those technologies or develop that sort of compelling experience. Now, when we talk about biometrics we also have to consider that many are concerned about where their private user data is stored, so one of the things that we are trying to do at Samsung is to design devices which include technologies that are going to enhance user privacy.

FB: FIDO has just announced their first specifications so do you think the end of passwords is in sight?

SR: I hope so. I think, like many people, everyone is tired of remembering their passwords and  constantly changing them. Samsung is a member of the FIDO Alliance and we are committed to improving user experience.  We are creating a platform where people feel their data is safe and accessible. We also want to make a platform where hackers feel like it will be too expensive to go after individual personal data. One of the reasons why we see hackers attempting to steal great amounts of passwords or credit card information elsewhere is that they see it as low hanging fruit. When you consider Samsung as a platform we are trying to make it unattractive to hackers.

FB: That is a very interesting point Steven. I guess anything can get hacked if you put enough time and energy into it. I agree with your point about the fact that it isn’t economically reasonable for the hackers to try and hack something that is going to take a long time. They want to get access that is quick and easy and can give them large volumes of information that they can do bad things with.

SR: That’s right.

FB: The most popular deployment of consumer biometrics is currently fingerprint authentication on smart phones; can you explain how the sensor on Samsung’s recent smartphones has improved the Galaxy line?

SR: Fingerprint authentication is going to be the first of many biometric solutions. Users are just learning how to unlock their phones with their fingerprint, but what we need to do is change their behavior so that there is a compelling reason for them to unlock their phones with fingerprints that is beyond just relieving them of the need to remember a password. I think we are all waiting to learn what the killer app is going to be for biometrics. It could be unlocking devices with biometrics for payments. I’m speculating that payments may be the killer app. Making payments is something that we do every day and it may be the thing that teaches users how to interact with devices without a password.

FB: I couldn’t agree more. The payment side of the industry is certainly heating up. There seems to be so much interest there.  You mentioned other biometric modalities, do you see others catching on in the near future and if so what might they be?

SR: I think that there are two which are very interesting to me right now. There is a company called EyeVerify that is developing a technology that uses computer vision to recognize users. It is exciting because a lot of the main criticism of biometrics is that you cannot change your fingerprint, you cannot change your biometric data.  But, EyeVerify has developed a methodology so that even though the capillaries in your eyes will never change, the platform uses that information in such a way that they can recreate new vocabularies of authentication that can constantly be reformed.   I think they have done a great deal in terms of easing people’s concerns around whether or not your biometric data could be compromised. The revocable nature of their technology I think is very interesting.

Another technology that people are waiting to see is the Nymi Wristband from Nymi. Salesforce and MasterCard have participated in a $10 million series A round of funding. What the Nymi Wristband does is it creates an electronic print using the unique electrical field generated by a user’s cardiac rhythms. I think both of these technologies are really exciting because they both transcend devices. I could see people using EyeVerify to perhaps interact with an ATM or even using the Nymi wristband to unlock their home or enter their car. So these two technologies excite me and I am looking forward to seeing them further developed in 2015.

FB: We are also seeing a lot of interest around biometrics like voice, because it is such a natural with mobility; and facial,  because the camera is already there; and iris now is rapidly gaining momentum too. It is quite remarkable. You mentioned wearables. How do you see wearable tech fitting into the lives of end users beyond fitness tracking applications?

SR: Well I think fitness tracking was the first wave in wearable technology and I think it is interesting for a segment of the population but not everyone is interested in tracking their vital signs and tracking their fitness.  When we hear that most wearables have been abandoned by users after six months I think it is because the wearable use cases have not been compelling enough for most people.

There is an interesting company called Omada Health which is taking a different tack to wearables. They have identified a compelling user need. They are trying to help people diagnosed with preclinical diabetes by using the cloud, an Internet enabled bathroom scale, and a wristband that monitors their steps among other data. Omada’s whole experience is about creating a very specific outcome for a very specific set of users in need of help. Creating useful User Experiences is where all wearable tech has to move. I see wearables in general changing how users are considering technology.

For example, everyone agrees that it is extremely rude to constantly pull out your phone at a restaurant or at a meeting and I think wearable technology will allow users to feel more confident that they can track important notifications and not miss them. They won’t have to fumble around for a device or fear losing track of what is actually happening to them in their digital lives. I think digital life and physical life don’t have to be in constant conflict and wearables are going to be a very useful technology there to bridge that gap.

That being said, I think wearables at the same time are extremely dangerous to the user. When I consider user wearables, I consider them in the context of the Internet of Things (according to Gartner, there will be nearly 26 billion devices on the Internet of Things by 2020). For example they both require interesting radio connections, they both require low power but they also are very, very intimate devices. And this is why we need to figure this out before we build and create products. We really need to understand how to protect users and improve user safety. Wearables could potentially allow the wrong person to figure out a person’s location and understand their context. It is definitely something that developers need to keep in mind and it is definitely something that I want to keep reminding people, that when you consider the Internet of Things and you consider wearables, you have to consider that these are devices that could potentially harm users. We have to be responsible as we develop these products and platforms.

FB: Is this a privacy concern that you are speaking about or is it more to do with location technology and stalking? What is your major concern?

SR: I think it is a little bit of both of what you just said. It is definitely user privacy. I don’t think a lot of people are comfortable being tracked. If they were going to adopt a wearable product they want to understand they will have the option of sharing their location or not based on what they feel is appropriate. And I think there are many who have had bad experiences with how their private user information has been exploited by others.

FB: I think education is going to be critical here Steven. It seems like a lot of people just don’t understand what currently is being shared through their credit card information, and with things that they are currently doing regardless of where mobility is heading. I think moving forward, educating and making sure that end users are totally aware of their privacy and in language they can understand, is going to be a critical component.

SR: Yes, and also bringing privacy, not as an afterthought, into the design process. Not as a thing that we should do after we have built the thing. It should be brought into the actual designs when we are creating devices.  For example, I’m just going to throw out an idea for a product which I will call a wearable baseball hat where it would contain a huge amount of relevant information about a sports game you are watching. So if someone were to design such a hat, instead of saying: “We have finished the design on this product, let’s now address privacy and attach privacy enhancing technologies to this thing,” why not start the design process with a set of requirements related to privacy from the very beginning?

FB: Absolutely, and I think the biometric industry has really got to take that step to involve the privacy folks early in the conversation.

When you look back on 2014 it really has been an incredible year for the mobile area. What would you describe as being the defining moment in tech industry news specifically with regard to mobile devices?

SR: Well I think from the perspective of mobile devices and wearables there are two events for me. One of them was the launch of Apple Pay because it is going to get users comfortable with a completely new way of engaging with physical retailers. I think Apple Pay is going to mainstream payment technology in a way that changes user interaction with physical retailers forever. I think it is really interesting because it is getting decent adoption and previous efforts have so far failed. So in 2015, it will be interesting for me to see how Apple Pay is rolled out – especially so in the context of the new Apple Watch.

I also think that Apple has put biometrics on the radar for most people and they are also getting people more comfortable with the idea that they can give away some of their biometric data. I think biometric data on the consumer level is still in its early days. We have this thing called CLEAR in the airports in the United States, and what CLEAR does is it allows you to skip the security queue because you have already registered and provided some of your biometric data. The CLEAR lines are still very short and I think that indicates that users aren’t quite comfortable just yet.

The other event that I think is really interesting is the Estonian announcement of the e-residency program. I think it is extremely significant as it is the first time a government will provide full protection and authentication of an online identity. Estonia has produced a service that will guarantee the identity of a user in the physical world but also during an online transaction. I think it is really significant because prior to this, we had relied solely upon the private sector for this level of authentication.

Estonia will make it possible for government guaranteed e-signatures. I think the first e-residents were confirmed this week. One of them is Tim Draper (Tim Draper is Founding Partner of leading venture capital firms Draper Fisher Jurvetson, and founder of Draper University of Heroes). If Tim Draper is excited, I think you can imagine that there will be a lot of interest in supporting start-ups and technology companies that are going to further develop the ecosystem around the Estonian e-residency.

I think that it is very, very likely that we will see companies verifying a user’s identity by calling the Estonian e-residency API. Confirming the identity of Users this way will enable access to and protect increasingly more critical information such as banking and hospital information. So I am really looking forward to how the e-residency program will be adopted and how it will expand in 2015.

FB: Steven, thank you very much. Your comments are always very interesting and I wish you all the best in 2015.

SR: Thank you Peter. It is always a pleasure to participate in the FindBiometrics’ events and I look forward to seeing what you guys have cooked up for us in 2015.